Smart Teddy Bear at Center of Recent Data Breach

Smart Teddy Bear at Center of Recent Data Breach

February 28, 2017         Written By John H. Oldshue

CloudPets, a line of Internet-connected stuffed animals for children, has been breached, and more than 800,000 user emails and passwords may have been exposed.

Earlier reports that more than two million children’s voice messages were also leaked are being denied by Spiral Toys, the creator of the product line.

“Were voice recordings stolen? Absolutely not,” Mark Myers, CEO of the company, told CIO.

CloudPets stuffed animals allow parents and grandparents to record greetings via a phone app, and then send the messages to their child’s toy. Children can then record a response. The toy is marketed to working parents and grandparents so they can stay connected with their children. However, critics of the toy have stated it is dangerous to store children’s voice recordings on the web, which is similar to the criticism leveled at Hello Barbie.

While the fact of whether voice recordings were exposed is debated, it seems certain that user emails and hashed passwords were exposed, according to security researcher Troy Hunt. In a blog post, Hunt explained how he was able to verify the information and said the hackers had attempted to ransom these login credentials in January.

While the passwords were hashed, which makes them more difficult to crack, CloudPets did not have any password strength requirements. This means many users chose simple passwords, which Hunt said he was able to easily crack by comparing them to common terms.

“Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” Hunt said.

Myers has admitted that malicious actors could obtain the voice recordings if they were able to guess the password, but has said, “We looked at it and thought it was a very minimal issue.”

CloudPets allegedly made an error when they stored user information in a publicly exposed online database that did not require a password to access, which allowed anyone to view and steal the information.

This is not the first leak of its type. Last year, VTech was hacked, and personal information, including kids’ pictures and chat logs, of 6.3 million customers was exposed.

The information contained within this article was accurate as of February 28, 2017. For up-to-date
information on any of the terms, cards or offers mentioned above, visit the issuer's website.


About John H. Oldshue

John Oldshue is the creator of He worked for over 15 years in television and won an Emmy award for his reporting. He covers credit card rate issues for
View all posts by John H. Oldshue
Featured Low Interest Card
Top Features : 1.25X miles on every purchase; no annual fee; bonus of 20,000 miles once $1,000 is spent in first 3 months
Featured No Annual Fee Card
Top Features : Earn cash back twice. 1% when you buy plus 1% as you pay; 0% APR for 18 months on balance transfers
Featured Bad Credit Card
Top Features : No Annual Fee; Cash Back match at the end of your first year; Social Security Alerts
Featured Fair Credit Card
Top Features : No annual fee; access to higher credit line after making first 5 monthly payments on time
Featured Limited/No Credit
Top Features : No annual fee; reports to major credit bureaus; access to higher credit line after making first 5 monthly payments on time
Featured Cash Back Card
Top Features : No Annual Fee, Bonus Offer, Cash Back